Posted to users@tomcat.apache.org by alla winter <al...@gmail.com> on 2007/09/25 23:51:52 UTC

Security restrictions for Tomcat

Hello,
My application can create a report on the fly (a file) for authorized
clients. The client authentication is conducted by the application and
Tomcat is not involved in this process. Other clients may create a file in
the same directory, but the application will show the links only to the
files that were created by this particular user (the userID is a part of
the file name). How can I ensure that others cannot view this file by just
typing the URL in the browser and list all the files under this directory?



I read about the possibility of starting Tomcat with the security manager
(%CATALINA_HOME%\bin\catalina start -security), but it is not clear how to
invoke the security manager for the Tomcat that is running as a service
(C:\jakarta-tomcat-5.0.28\bin\tomcat5.exe //RS//Tomcat5) and what exactly
needs to be added to the catalina.policy file to set the needed restrictions.



I would appreciate any help for this matter.

thanks


P.S. I am using Tomcat 5.0.28; JDK 1.5.0_12. Tomcat is running as a
service under Windows 2003 Server.

Re: Security restrictions for Tomcat

Posted by alla winter <al...@gmail.com>.
You guys are awesome,
thanks a lot.


On 9/26/07, Mitesh Shah <mi...@eclinicalworks.com> wrote:

RE: Security restrictions for Tomcat

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: alla winter [mailto:alla1.winter@gmail.com] 
> Subject: Re: Security restrictions for Tomcat
> 
> I can see all the directory listing except WEB-INF directory.
> I am using all default XMLs for configuration without any
> changes, except web.xml where I defined my servlets.

Directory listings are disabled by default, as described in the
DefaultServlet section of the conf/web.xml file.  You have either set
the listings parameter to true, or you have overridden the
DefaultServlet with one of your own in your webapp's WEB-INF/web.xml
file, and that one is displaying the directory contents.

 - Chuck



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Security restrictions for Tomcat

Posted by Mitesh Shah <mi...@eclinicalworks.com>.
To disable directory listing, change the value to 'false' for the init
parameter listings in web.xml:

      <init-param>
          <param-name>listings</param-name>
          <param-value>FALSE</param-value>
      </init-param>


Mitesh Shah
Hosted Services Engineer
eClinicalWorks LLC

-----Original Message-----
From: alla winter [mailto:alla1.winter@gmail.com] 
Sent: Wednesday, September 26, 2007 2:00 PM
To: Tomcat Users List; p@pidster.com
Subject: Re: Security restrictions for Tomcat





Re: Security restrictions for Tomcat

Posted by alla winter <al...@gmail.com>.
OK, I got it, the content type will do the trick.  Thanks

But I would appreciate if you answer my second question regarding the
directory listing.
I can see all the directory listing except WEB-INF directory.  I am using
all default XMLs for configuration without any changes, except web.xml where
I defined my servlets.
What should I do to disallow the directory listing?
thanks


On 9/26/07, Pid <p...@pidster.com> wrote:

Re: Security restrictions for Tomcat

Posted by Pid <p...@pidster.com>.
alla winter wrote:
> I am confused now
> web.xml instructs Tomcat what application needs to be called for a given
> MIME type

No, unless you've got some weird setup on a windows machine Tomcat is
not opening MSWord.  The mime type is sent to the browser in an http
header, and the browser decides what to open it with.

For example, if you didn't have MSWord installed, but had, say,
OpenOffice, you could find that OpenOffice opens the file.

> for example:
> <mime-mapping>
>   <extension>rtf</extension>
>   <mime-type>application/vnd.ms-word</mime-type>
> </mime-mapping>
> 
> Tomcat passes the request to the third party application based on the MIME
> type, so if I show the link to the .RTF file and the user selects the link,
> Microsoft Word will display the selected file.  The same with PDF files
> - the Adobe Reader is invoked
> My understanding is that by writing file bytes to the servlet output, I am
> just creating an HTML file where the file content is a body of the HTML

Again no, the output is handled by the browser - if you set:

 Content-Type: text/html

the browser will do as it's told and try to process the output as an
HTML file.



> But if I output the bytes of the file to the servlet output, it will look
> the same way as if I would open an RTF file in Notepad - with all control
> characters inside.
> Unless I am missing something here...

Yes, the Content-Type header is the key to this.

p


> As far as directory listing - yes, I do see the directory listing for all
> folders that are underneath my application except WEB-INF and I didn't do
> any special set up for that - I am using all default XMLs except the
> web.xml where I am defining my servlets.
> 
> I appreciate your help.
> thanks




Re: Security restrictions for Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Alla,

alla winter wrote:
> I am confused now
> web.xml instructs Tomcat what application needs to be called for a given
> MIME type

Nope. This is mapping file extensions to MIME types. Totally different.
Notice that you don't see "msword.exe" anywhere in the MIME type mapping.

> Tomcat passes the request to the third party application based on the MIME
> type, so if I show the link to the .RTF file and the user selects the link,
> Microsoft Word will display the selected file.

This is all done by your web browser, in a totally different way.

> My understanding is that by writing file bytes to the servlet output, I am
> just creating an HTML file where the file content is a body of the HTML

Wrong again. You are serving bytes. As long as you tell the browser the
proper MIME type (via the Content-Type HTTP header), everything will
work out just fine.

> Unless I am missing something here...

Yes, you are confusing what happens on the server with what happens on
the client.

> As far as directory listing - yes, I do see the directory listing for all
> folders that are underneath my application except WEB-INF and I didn't do
> any special set up for that - I am using all default XMLs except the
> web.xml where I am defining my servlets.

Perhaps Tomcat 5.0 still has the "default" servlet enabled by default.
We'll deal with that once your bigger problems are taken care of.

-chris




Re: Security restrictions for Tomcat

Posted by alla winter <al...@gmail.com>.
I am confused now.
web.xml instructs Tomcat what application needs to be called for a given
MIME type, for example:

  <mime-mapping>
    <extension>rtf</extension>
    <mime-type>application/vnd.ms-word</mime-type>
  </mime-mapping>

Tomcat passes the request to the third party application based on the MIME
type, so if I show the link to the .RTF file and the user selects the link,
Microsoft Word will display the selected file.  The same with PDF files
- the Adobe Reader is invoked.
My understanding is that by writing file bytes to the servlet output, I am
just creating an HTML file where the file content is a body of the HTML.

But if I output the bytes of the file to the servlet output, it will look
the same way as if I would open an RTF file in Notepad - with all control
characters inside.
Unless I am missing something here...


As far as directory listing - yes, I do see the directory listing for all
folders that are underneath my application except WEB-INF and I didn't do
any special set up for that - I am using all default XMLs except the
web.xml where I am defining my servlets.

I appreciate your help.
thanks

On 9/26/07, Christopher Schultz <ch...@christopherschultz.net> wrote:

Re: Security restrictions for Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Alla,

alla winter wrote:
> Thanks for the quick response.
> So, I want to make sure that I understand it right: you are proposing that
> the servlet should display the file, instead of allowing Tomcat to invoke
> Microsoft Word to display the file content.

I think you are misunderstanding what is really going on at a
fundamental level. Tomcat will never invoke Microsoft Word for any
reason, unless you have something truly crazy going on in the background.

What I'm suggesting is that you write your own code to serve the
contents of a static file. It's pretty simple: open the file, write the
appropriate HTTP headers, copy the bytes to the servlet output stream,
close all streams, and you are done.

> The only issue with that is that
> the file is created in the RTF format and it has control characters that
> govern the formatting.

This is irrelevant. It doesn't matter if you are serving a text file or
a PDF, you are just serving bytes to the web browser.

> The second question was about how to set up TOMCAT not to allow the
> directory listing

Actually, I think you have to specifically enable directory listings. If
you haven't enabled them, then you shouldn't be getting any. Are you
able to get a directory listing?

-chris




Re: Security restrictions for Tomcat

Posted by alla winter <al...@gmail.com>.
Thanks for the quick response.
So, I want to make sure that I understand it right: you are proposing that
the servlet should display the file, instead of allowing Tomcat to invoke
Microsoft Word to display the file content. The only issue with that is that
the file is created in the RTF format and it has control characters that
govern the formatting.

The second question was about how to set up TOMCAT not to allow the
directory listing

thanks for your help


On 9/26/07, Christopher Schultz <ch...@christopherschultz.net> wrote:

Re: Security restrictions for Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Alla,

alla winter wrote:
> I would appreciate if you would give me some hints how this dispatcher
> servlet should work.

How about this:

1. Check user id against requested path.
 a. Return FORBIDDEN for unauthorized access
 b. Open file and serve bytes to authorized users
2. Configure this servlet to serve all URLs like /content/*
   or something like that, instead of allowing Tomcat
   to serve content from the /content directory.

> Also, what needs to be done to restrict Tomcat to list the directories that
> contain java script and images.

What do you mean? You want people to be able to get directory listings
for certain directories?

-chris


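The dispatcher servlet Chris outlines (check the user id against the requested path, return FORBIDDEN otherwise, open the file and serve the bytes with the right headers, mapped to /content/*), combined with his earlier "write your own code to serve a static file" advice and Mikolaj's "store the files outside the application directory", written out as an added example; this is not code from the thread or from Tomcat. It assumes the application's own login stores the user id in a session attribute named userId, that reports are named <userId>_<name>.rtf in a directory outside the webapp, and that the package, class and directory names are made up.

```java
// Added example, not from the thread. Servlet 2.4 / Tomcat 5.0 have no
// annotations, so the mapping goes in WEB-INF/web.xml (listings stays false):
//
//   <servlet>
//     <servlet-name>ReportDispatcher</servlet-name>
//     <servlet-class>example.ReportDispatcherServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>ReportDispatcher</servlet-name>
//     <url-pattern>/content/*</url-pattern>
//   </servlet-mapping>
package example;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ReportDispatcherServlet extends HttpServlet {

    // Hypothetical directory outside the webapp, so the DefaultServlet can
    // neither list nor serve these files directly.
    private static final File REPORT_DIR = new File("C:\\reports");

    // Only plain file names of the form <userId>_<name>.rtf are accepted
    // (user ids assumed alphanumeric). No '/', '\' or ".." can get through,
    // so a request can never name a path outside REPORT_DIR.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9]+_[A-Za-z0-9_-]+\\.rtf");

    // Step 1: check the user id against the requested file name.
    static boolean isOwnedBy(String fileName, String userId) {
        return SAFE_NAME.matcher(fileName).matches()
                && fileName.startsWith(userId + "_");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The application, not Tomcat, did the login; the user id is assumed
        // to have been stored in the session at that point.
        HttpSession session = req.getSession(false);
        String userId = (session == null) ? null
                : (String) session.getAttribute("userId");
        if (userId == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // 1a
            return;
        }

        // With the /content/* mapping, getPathInfo() is "/<fileName>".
        String pathInfo = req.getPathInfo();
        String fileName = (pathInfo == null) ? "" : pathInfo.substring(1);
        if (!isOwnedBy(fileName, userId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // 1a
            return;
        }

        // Belt and braces: the resolved file must still sit inside REPORT_DIR.
        File file = new File(REPORT_DIR, fileName);
        String base = REPORT_DIR.getCanonicalPath() + File.separator;
        if (!file.getCanonicalPath().startsWith(base) || !file.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 1b: serve the bytes. The Content-Type header, not Tomcat, is what
        // makes the browser hand an RTF document to Word or OpenOffice; the
        // RTF control characters are just bytes like any other.
        resp.setContentType("application/rtf");
        resp.setHeader("Content-Disposition",
                "attachment; filename=\"" + fileName + "\"");
        resp.setContentLength((int) file.length());
        InputStream in = new FileInputStream(file);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
    }
}
```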


Re: Security restrictions for Tomcat

Posted by alla winter <al...@gmail.com>.
I would appreciate if you would give me some hints how this dispatcher
servlet should work.
Also, what needs to be done to restrict Tomcat to list the directories that
contain java script and images.
thanks


On 9/26/07, Mikolaj Rydzewski <mi...@ceti.pl> wrote:

Re: Security restrictions for Tomcat

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
alla winter wrote:
> My application can create a report on the fly (a file) for authorized
> clients. The client authentication is conducted by the application and
> Tomcat is not involved in this process. Other clients may create a file in
> the same directory, but the application will show the links only to the
> files that were created by this particular user (the userID is a part of
> the file name). How can I ensure that others cannot view this file by just
> typing the URL in the browser and list all the files under this directory?
>
Just do not create files in work readable directory. Store files 
somewhere outside application directory and display them with some kind 
of dispatcher servlet.

-- 
Mikolaj Rydzewski <mi...@ceti.pl>